MGM Hack Analysis: Security Still a Test of Your Weakest Link
As Cybersecurity Awareness Month is upon us once again, the recent MGM Resorts cyberattack reminds us that attackers are still constantly on the prowl and even the largest organizations among us are not immune to their predation.
The MGM incident, which began on Sept. 11 and resulted in approximately 10 days of costly downtime for the organization, has reportedly exposed more than 6 terabytes of data, including full names, dates of birth, addresses, email addresses, phone numbers and Social Security numbers and/or driver’s license numbers of hotel guests and patrons. It has exposed them not only to federal fines but also to a class-action suit that has already been filed.
Two cybercriminal organizations working in tandem — Scattered Spider and ALPHV — have claimed credit for the attack. It comes hot on the heels of a similar incident that the Caesars Resort chain reported to federal regulators on Sept. 7.
The MGM attack was interesting from several security aspects that constantly need to be top of mind. In this post, we’ll cover areas we still need to make sure are receiving the right amount of attention from a security engineering perspective — particularly at organizations that remain high-value targets for bad actors.
Humans Are Still the Weakest Link
Once upon a time, when we would talk about the 7-Layer Open Systems Interconnection (OSI) model we used to call the invisible “Layer 8” the human layer. Despite being conceived in the 1970s, this remains a hard-learned truth.
If we look at the MGM incident, it was a classic social engineering attack that began with mining employee information on LinkedIn, then leveraging that data to pose as the employee with the support center to bypass more complex multifactor authentication by issuing a one-time password (OTP). This post by CyberArk does a really good job of breaking down the attack step by step.
What’s interesting to note is the level of preparedness the threat actors demonstrated once the initial privilege escalation was achieved. They then were able to wreak havoc and chaos in all of the MGM Resort systems.
What started off with manipulating the support engineering to escalate privileges, ultimately wound up costing the company billions of dollars by taking many of its critical business systems down for an extended period — everything from slot machines to check-in/check-out, online reservations, guest keycards and much more.
All of this was made possible by successfully impersonating an MGM employee through sophisticated social manipulation and not the expected and more commonplace technical systems hacking. Many times this information is mined even from social media polls and other ways that are seemingly harmless to the participants. Scattered Spider performed quite a bit of reconnaissance and information gathering in advance to be ready once multifactor authentication was bypassed.
When talking about MFA (or 2FA), the various factors involved should be from different types. The common types are:
- Something you know (such as a password)
- Something you have (a badge or smartphone)
- Something you are (fingerprint or other biometric means of identification)
Using these together is considered a best practice for securing modern systems and is often difficult to forge when required together. That is why the most critical piece to making this breach possible was bypassing this requirement altogether.
The Multipronged Approach
After the computer systems were disabled, next came the technical exploitation of the privileges acquired, which also demonstrated familiarity with the systems that would be encountered.
The exploitation of a known feature in Okta made it possible to eventually encrypt servers running the organization’s most critical applications, which then started to break down one by one. This forced hotel employees to perform day-to-day tasks manually, such as requesting credit card numbers be written on a piece of paper during check-in, an equally problematic security practice that also indicates a poor security culture.
Once the systems were compromised, a ransomware attack was initiated by the ALPHV group that required MGM to make difficult decisions when it came to recovery. It was forced to delete critical assets that had no backup in order to be able to restore in a reasonable timeframe — data recovery being another important pillar of security engineering. Caesars reportedly paid $30 million in a similar ransomware attack a week before to prevent exposing customer data.
Just as DevOps has DORA metrics to define engineering quality, and mean time to restore, we’ve spoken about security DORA metrics that we believe should be equally important to engineering organizations, which include the mean time to recover from security attacks. This can be a good indicator of the quality of your security hygiene and AppSec program.
Incident response playbooks are a good way to prepare teams in high-pressure situations to have step-by-step guides for best practices to restore critical systems when they go down. This is true for both DevOps and DevSecOps, and it is meant to automate as much of the manual toil as possible. This will free up your engineers to focus on the critical aspects to restoring business-critical systems as quickly as possible, with as little disruption and economic loss to the companywhen every minute counts.
More Tough Lessons Learned
The most important takeaway from this incident is understanding how critical a part every person in your organization plays in ensuring information security — in the hopes of avoiding similar incidents in the future. From the most junior workers to more senior employees, security training with a particular focus on novel social engineering strategies is becoming ever more critical.
Scattered Spider, who took credit for the attack, are not new threat actors, and there have been several notices regarding its sophisticated social engineering activity by the FBI, following attacks on Reddit and Western Digital. Companies need to continue to invest in security training for all employees, just as they invest in their professional onboarding and training.
Just the sheer numbers in economic loss due to cybercrime, estimated at $3 trillion annually, should be driving greater security-mindedness and culture in big data organizations. From ensuring that all employees know what information they are allowed to share on social media to practicing real-world social engineering scenarios with employees who might be subject to such manipulation, through best practices for maintaining security hygiene in the throes of such a security breach. (Pro tip: Not writing credit card numbers on pieces of paper is a good start!)
Companies should also invest in the practice of security champions, who have been proven to improve security hygiene and culture in organizations.
In addition, it’s not enough to have incident response playbooks if no one knows how to run them in real time. Similar to backups, you don’t really have a backup if you’ve never tried to restore. This same mindset needs to apply for security engineering as well. Make sure security teams practice different incident response scenarios all the time and know how to function in real time. It’s even recommended to create incident response playbooks as code when possible to automate much of the process to allow the humans to focus on the higher-order problems of incident response.
Today, with the advancement of generative AI and Deepfake technology, an even greater scope of identity forgery will be made possible that companies need to be better equipped to handle. This is particularly true with regard to remote communications with the victim (for example, by phone call). Greater measures and factors now need to be taken when it comes to secure remote identification, very much like MFA to systems, even in a voice conversation to not expose organizations to unnecessary risk.
Threat actors are becoming more sophisticated, working together and the payoff is great when they are successful. We need to make extra efforts to up our security game to avoid being the next devastating headline.